CVE-2026-53071

Summary

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp

l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file acquires the lock first. A remote BLE device can send a crafted L2CAP ECRED reconfiguration response to corrupt the channel list while another thread is iterating it.

Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(), and l2cap_chan_unlock() and l2cap_chan_put() after, matching the pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().

Affected Software

VendorProductVersion RangeStatus
LinuxLinux15f02b91056253e8cdc592888f431da0731337b8 < 96dca51715d86559ed6ed8028e5445cecb80f3aeaffected
LinuxLinux15f02b91056253e8cdc592888f431da0731337b8 < 330b20ec97916961ee0e6c29c06bc0fa7c96e64caffected
LinuxLinux15f02b91056253e8cdc592888f431da0731337b8 < 0ccd75c51f620374086f359e906917676e699a1caffected
LinuxLinux15f02b91056253e8cdc592888f431da0731337b8 < 77a853aec710b2fdf41fa298ea3cbc9a4358f917affected
LinuxLinux15f02b91056253e8cdc592888f431da0731337b8 < fe1188abdae9b7a8199dcdfcf9244d5e5d61eb14affected
LinuxLinux15f02b91056253e8cdc592888f431da0731337b8 < dc89961b76f12aff47124c1df4bdb32a080f4d0caffected
LinuxLinux15f02b91056253e8cdc592888f431da0731337b8 < 5501d055a1ce3c747141e3955ba8cf034d193f3eaffected
LinuxLinux15f02b91056253e8cdc592888f431da0731337b8 < 42776497cdbc9a665b384a6dcb85f0d4bd927eabaffected
LinuxLinux5.7affected
LinuxLinux0 < 5.7unaffected
LinuxLinux5.10.258 <= 5.10.*unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.141 <= 6.6.*unaffected
LinuxLinux6.12.91 <= 6.12.*unaffected
LinuxLinux6.18.33 <= 6.18.*unaffected
LinuxLinux7.0.10 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

ADP Enrichment

kernel: Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp

Additional References

References